Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-02-2024 02:16

General

  • Target

    a7f52148e5518fbedbedd9097ed70183.exe

  • Size

    114KB

  • MD5

    a7f52148e5518fbedbedd9097ed70183

  • SHA1

    50ccb973e8f65810edbf951c3e50e2304e5bb69d

  • SHA256

    2890092eb02db7f5b8d048e5e54d2963c8024502bf1bf7745f70be3ffbdd52d6

  • SHA512

    f2d2dc873bef9fe1096221ce046db358c9d3af3f573f484e7324f8b1e3e369059f0948a4b313a9d0f5aca6160e5d2d4dbb5fa3c75953319077be984d99677c43

  • SSDEEP

    3072:H7hqiAJzrGZCDIBBIUmbv9fhnz8bGlaKfn4yxzjxS:HlAJXGZoIBiU0v9fZwbGxvbK

Score
10/10

Malware Config

Signatures

  • Detect Lumma Stealer payload V4 20 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Modifies security service 2 TTPs 22 IoCs
  • Executes dropped EXE 10 IoCs
  • Drops file in System32 directory 22 IoCs
  • Runs .reg file with regedit 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe
    "C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • Runs .reg file with regedit
        PID:5044
    • C:\Windows\SysWOW64\nod64.exe
      C:\Windows\system32\nod64.exe 1164 "C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\a.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • Runs .reg file with regedit
          PID:2220
      • C:\Windows\SysWOW64\nod64.exe
        C:\Windows\system32\nod64.exe 1168 "C:\Windows\SysWOW64\nod64.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3704
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c c:\a.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1684
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • Runs .reg file with regedit
            PID:2520
        • C:\Windows\SysWOW64\nod64.exe
          C:\Windows\system32\nod64.exe 1136 "C:\Windows\SysWOW64\nod64.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:3308
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c c:\a.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2792
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • Runs .reg file with regedit
              PID:1348
          • C:\Windows\SysWOW64\nod64.exe
            C:\Windows\system32\nod64.exe 1140 "C:\Windows\SysWOW64\nod64.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:932
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c c:\a.bat
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3628
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • Runs .reg file with regedit
                PID:2056
            • C:\Windows\SysWOW64\nod64.exe
              C:\Windows\system32\nod64.exe 1144 "C:\Windows\SysWOW64\nod64.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:3304
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c c:\a.bat
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:732
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • Runs .reg file with regedit
                  PID:4376
              • C:\Windows\SysWOW64\nod64.exe
                C:\Windows\system32\nod64.exe 1148 "C:\Windows\SysWOW64\nod64.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:5108
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c c:\a.bat
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2480
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • Runs .reg file with regedit
                    PID:2204
                • C:\Windows\SysWOW64\nod64.exe
                  C:\Windows\system32\nod64.exe 1152 "C:\Windows\SysWOW64\nod64.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:3056
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c c:\a.bat
                    9⤵
                    PID:4044
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        10⤵
                        • Modifies security service
                        • Runs .reg file with regedit
                        PID:2332
                    • C:\Windows\SysWOW64\nod64.exe
                      C:\Windows\system32\nod64.exe 1160 "C:\Windows\SysWOW64\nod64.exe"
                      9⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      PID:1080
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c c:\a.bat
                        10⤵
                        PID:3856
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            11⤵
                            • Modifies security service
                            • Runs .reg file with regedit
                            PID:680
                        • C:\Windows\SysWOW64\nod64.exe
                          C:\Windows\system32\nod64.exe 1172 "C:\Windows\SysWOW64\nod64.exe"
                          10⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          PID:3324
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c c:\a.bat
                            11⤵
                            PID:3220
                              • C:\Windows\SysWOW64\regedit.exe
                                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                12⤵
                                • Modifies security service
                                • Runs .reg file with regedit
                                PID:2268
                            • C:\Windows\SysWOW64\nod64.exe
                              C:\Windows\system32\nod64.exe 1176 "C:\Windows\SysWOW64\nod64.exe"
                              11⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              PID:2672
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c c:\a.bat
                                12⤵
                                PID:552
                                  • C:\Windows\SysWOW64\regedit.exe
                                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                    13⤵
                                    • Modifies security service
                                    • Runs .reg file with regedit
                                    PID:4964

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            1011B

            MD5

            5088b4be1b90717121e76c1fc33c033a

            SHA1

            090676b012c30e6b0d6493ca1e9a31f3093cad6f

            SHA256

            d1d8c8ac4136082ac60938e8148c43d81fa91a124eccf34048e629d22daeef3a

            SHA512

            0cac2dcf138b1a66f857a54c92afe467ef7544655cd1c4aec3b4084c92c9186d9ba10e0e74a54a6e43e676068d3747f668f7286d44fcefce7ee4d385a3a96962

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            1KB

            MD5

            584f47a0068747b3295751a0d591f4ee

            SHA1

            7886a90e507c56d3a6105ecdfd9ff77939afa56f

            SHA256

            927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5

            SHA512

            ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            3KB

            MD5

            8d6eb64e58d3f14686110fcaf1363269

            SHA1

            d85c0b208716b400894ba4cb569a5af4aa178a2f

            SHA256

            c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5

            SHA512

            5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            3KB

            MD5

            9e5db93bd3302c217b15561d8f1e299d

            SHA1

            95a5579b336d16213909beda75589fd0a2091f30

            SHA256

            f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

            SHA512

            b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            2KB

            MD5

            501effddf60a974e98b67dc8921aa7e8

            SHA1

            734dfe4b508dbc1527ec92e91821a1251aec5b2e

            SHA256

            672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06

            SHA512

            28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            300B

            MD5

            9e1df6d58e6c905e4628df434384b3c9

            SHA1

            e67dd641da70aa9654ed24b19ed06a3eb8c0db43

            SHA256

            25bb4f644e47b4b64b0052ec7edfd4c27f370d07ef884078fea685f30b9c1bb0

            SHA512

            93c9f24dc530e08c85776955c200be468d099d8f1d2efe5e20cbb3a1d803fe23e0ba9b589df2498832082a283d79f6f1053a26d15f49e31a0da395ecc7225ad3

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            3KB

            MD5

            1c6131354c6987300ea512b765475b82

            SHA1

            2ad74e27ee9080f65d1b2b2e537f73d8f6b59f53

            SHA256

            3a16ce0b62d9b7bc6832082d30e37163bbde0eddcffe9b09f20fc118b1e0d640

            SHA512

            b1274a40e10dea26834d3839a4c64a593252640a8a55bcbf642b661f1711451ea81ca712cc98d0c0b9132b4aaf5c8aaac6cc974fc8cbe0eed6ffc13d1b01db68

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            208B

            MD5

            67a0c98a371995d5434cb9788ee1c42f

            SHA1

            7171d3dca52f038ca9d9e8b13f356462dbc8f3cc

            SHA256

            2ac5bd7466724458c6f36bbbe6be697bfbc95d3b8f8ad486b83d595bd295dbc3

            SHA512

            f5b31a9e68044db25853f9a158dd4ff1da717beb5802dd11a6d3b705b5bf065304c98df3c81c8487e922d4f94690ecfb2662077bffb50cba036bcd8e50935191

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            815B

            MD5

            fadf3805f68986d2ee9c82f560a564e4

            SHA1

            87bcab6ab1fb66ace98eb1d36e54eb9c11628aa6

            SHA256

            d6e4760c4554b061363e89648dc4144f8a9ba8a300dde1a1621f22ecc62ab759

            SHA512

            e3e495385da6d181a2411554a61b27c480ff31fa49225e8b2dc46b9ec4f618343475a8d189786b956c91efc65bfb05be19065bfdf3288eb011c5ec427e764cb9

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            3KB

            MD5

            ad9e5e67282bb74482c05e3bf2eb188b

            SHA1

            10b02442ea4b1151a2334645c3e290a82ecfad1f

            SHA256

            7af82efceff1e9221d76472e6ffd6aa78ca00ccbb5fa32cb2238ed08812b931f

            SHA512

            b0ca37f35618547b4e5ab94eb367940a9d5a500b5c91cf2bbdddba8d1725bcc619c5acd2365711a970c307bbe0aa539b50803d119963b9f0c6da198e3157ded7

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            112B

            MD5

            a7784814f96f4d714d70f0a64afd3520

            SHA1

            4204eb27ed46350f6608fe1717bb8ef745b94732

            SHA256

            c0040494b6a8c2f40ab157ccc5be9e99cbb7bb285fa39131f340a8501758b0fc

            SHA512

            f4fbd4d6d571a2399b997269966623dcda83085a85476b4166dbe41c507519ded016a13f92e8a37c9ea5a8b756ed601fee302a6a8122f581efcd99771b975474

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            2KB

            MD5

            5575ef034e791d4d3b09da6c0c4ee764

            SHA1

            50a0851ddf4b0c4014ad91f976e953baffe30951

            SHA256

            9697ec584ef188873daa789eb779bb95dd3efa2c4c98a55dffa30cac4d156c14

            SHA512

            ecf52614d3a16d8e558751c799fde925650ef3e6d254d172217e1b0ed76a983d45b74688616d3e3432a16cec98b986b17eaecd319a18df9a67e4d47f17380756

          • C:\Windows\SysWOW64\nod64.exe

            Filesize

            114KB

            MD5

            a7f52148e5518fbedbedd9097ed70183

            SHA1

            50ccb973e8f65810edbf951c3e50e2304e5bb69d

            SHA256

            2890092eb02db7f5b8d048e5e54d2963c8024502bf1bf7745f70be3ffbdd52d6

            SHA512

            f2d2dc873bef9fe1096221ce046db358c9d3af3f573f484e7324f8b1e3e369059f0948a4b313a9d0f5aca6160e5d2d4dbb5fa3c75953319077be984d99677c43

          • \??\c:\a.bat

            Filesize

            5KB

            MD5

            0019a0451cc6b9659762c3e274bc04fb

            SHA1

            5259e256cc0908f2846e532161b989f1295f479b

            SHA256

            ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

            SHA512

            314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904